
Why Cert Manager (and Lets encrypt) integrating with ISTIO fails to complete HTTP01 challenge

I am trying to integrate ISTIO with cert manager following the docs here: https://istio.io/latest/docs/ops/integrations/certmanager/

But I got the error saying:

Waiting for HTTP-01 challenge propagation:
failed to perform self check GET request 'http://<domain>/.well-known/acme-challenge/rhLUqegNfgpWkwIlKDUTunTbD_DTwrH4oRvtHKkNJZs': 
Get "http://<domain>/.well-known/acme-challenge/rhLUqegNfgpWkwIlKDUTunTbD_DTwrH4oRvtHKkNJZs":
dial tcp <IP>:80: connect: connection refused

Cert manager version: V1.1.0

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml

I also created an A record with IP address of ISTIO ingress on GKE for my domain on DNS server.

And here is the config I used:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: istio-system
spec:
  acme:
    # Let's Encrypt uses this to contact you about expiring
    # certificates, and issues related to your account.
    email: <email>
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx

---

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingressgateway-certs
  namespace: istio-system
spec:
  secretName: ingressgateway-certs
  commonName: <domain>
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
  - <domain>

---

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ingress-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: ingressgateway-certs
    hosts:
    - <domain>

Thanks

Solved. The ingress class field in ClusterIssuer needs to be changed to istio.
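
A pre-flight check for the mismatch the answer describes, as an added example that is not part of the original post or of cert-manager: it flags any HTTP-01 ingress solver whose `class` names an ingress class nothing in the cluster serves. The function name, the `issuer` helper and the `SERVED` set are assumptions; the manifests are constructed from the question's ClusterIssuer.

```python
# Added example: flag HTTP-01 ingress solvers whose class nothing in the cluster serves.
# Manifests are constructed from the question's ClusterIssuer; the set of served
# ingress classes is an assumption supplied by the operator.

ACME_KINDS = ("Issuer", "ClusterIssuer")

def unserved_http01_solvers(manifests, served_classes):
    """Return [(kind/name, solver index, class)] for every http01 ingress solver
    whose `class` is not handled by any ingress controller in the cluster."""
    findings = []
    for doc in manifests:
        if doc.get("kind") not in ACME_KINDS:
            continue  # Certificate, Gateway, ... carry no solvers
        ref = f'{doc["kind"]}/{doc.get("metadata", {}).get("name", "?")}'
        acme = doc.get("spec", {}).get("acme") or {}
        for idx, solver in enumerate(acme.get("solvers") or []):
            ingress = (solver.get("http01") or {}).get("ingress")
            if not ingress:
                continue  # dns01 solver, or http01 without an ingress block
            cls = ingress.get("class")
            # No class set: the solver Ingress is left for any controller (or an
            # existing Ingress named by `name`), so there is nothing to compare.
            if cls is not None and cls not in served_classes:
                findings.append((ref, idx, cls))
    return findings

def issuer(name, solver_class):
    """Build a ClusterIssuer shaped like the one in the question (constructed)."""
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "ClusterIssuer",
        "metadata": {"name": name},
        "spec": {"acme": {
            "server": "https://acme-staging-v02.api.letsencrypt.org/directory",
            "privateKeySecretRef": {"name": name},
            "solvers": [{"http01": {"ingress": {"class": solver_class}}}],
        }},
    }

AS_POSTED = issuer("letsencrypt-staging", "nginx")  # config from the question
AS_FIXED = issuer("letsencrypt-staging", "istio")   # after the fix in the answer
SERVED = {"istio"}  # assumption: only the Istio ingress gateway runs in this cluster

if __name__ == "__main__":
    for label, doc in (("as posted", AS_POSTED), ("as fixed", AS_FIXED)):
        print(label, unserved_http01_solvers([doc], SERVED))
```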
